1.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-64345

CVE-2025-64345: Wasmtime provides unsound API access to a WebAssembly shared linear memory

Impact

Wasmtime's Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which provides safe access to the host (Rust) to the contents of the linear memory. This is not sound for shared linear memories, which could be modified in parallel, and this could lead to a data race in the host.

Wasmtime has a wasmtime::Memory type which represents linear memories in a WebAssembly module. Wasmtime also has wasmtime::SharedMemory, however, which represents shared linear memories introduced in the WebAssembly threads proposal. The API of SharedMemory does not provide accessors which return &[u8] in Rust, for example, as that's not a sound type signature when other threads could be modifying memory. The wasmtime::Memory type, however, does provide this API as it's intended to be used with non-shared memories where static knowledge is available that no concurrent or parallel reads or writes are happening. This means that it's not sound to represent a shared linear memory with wasmtime::Memory and it must instead be represented with wasmtime::SharedMemory.

There were two different, erroneous, methods of creating a wasmtime::Memory which represents a shared memory however:

The wasmtime::Memory::new constructor takes a MemoryType which could be shared. This function did not properly reject shared memory types and require usage of SharedMemory::new instead.
Capturing a core dump with WebAssembly would expose all linear memories a wasmtime::Memory. This means that a core dump would perform an unsynchronized read of shared linear memory, possibly leading to data races.

This is a bug in Wasmtime's safe Rust API. It should not be possible to cause unsoundness with Wasmtime's embedding API if unsafe is not used. Embeddings which do not use the wasm threads proposal nor created shared memories nor actually share shared memories across threads are unaffected. Only if shared memories are created across threads might an embedding be affected.

Patches

Patch releases have been issued for all supported versions of Wasmtime, notably: 24.0.5, 36.0.3, 37.0.3, and 38.0.4. These releases reject creation of shared memories via Memory::new and shared memories are now excluded from core dumps.

Workarounds

Embeddings affected by this issue should use SharedMemory::new instead of Memory::new to create shared memories. Affected embeddings should also disable core dumps if they are unable to upgrade. Note that core dumps are disabled by default but the wasm threads proposal (and shared memory) is enabled by default. It's recommended to upgrade to a patched version of Wasmtime, however.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-64345

CVE-2025-64345:

1.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
wasmtime	rust	>= 38.0.0, < 38.0.4	38.0.4
wasmtime	rust	>= 37.0.0, < 37.0.3	37.0.3
wasmtime	rust	>= 26.0.0, < 36.0.3	36.0.3
wasmtime	rust	< 24.0.5	24.0.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in how the Wasmtime Rust API handles WebAssembly shared linear memories. The core issue is that wasmtime::Memory, a type designed for non-shared memories with safe, unsynchronized access, could be used to represent shared memories. This is unsound because shared memories can be modified by multiple threads concurrently, and unsynchronized access can lead to data races in the host application.

The analysis of the provided patch identified two key functions where this unsound behavior was permitted:

wasmtime::Memory::new: This constructor function allowed the direct creation of a wasmtime::Memory object from a shared MemoryType. The patch rectifies this by adding a check to explicitly forbid shared memory types, forcing the use of the correct wasmtime::SharedMemory::new constructor.
wasmtime::WasmCoreDump::new: This function, used for creating core dumps, would iterate over all memories in the store and include them in the dump. This process treated shared memories as standard wasmtime::Memory objects, creating a risk of data races during the dump's creation. The patch mitigates this by filtering out and excluding shared memories from the core dump.

Both functions are entry points for the same fundamental flaw: incorrectly applying the wasmtime::Memory abstraction to shared memory. An attacker could trigger this by crafting a WebAssembly module that uses shared memory and then either explicitly creating a Memory object or triggering a trap that generates a core dump.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

1.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-64345: Wasmtime provides unsound API access to a WebAssembly shared linear memory

Impact

Patches

Workarounds

CVE-2025-64345:

1.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

CVE-2025-64345: Wasmtime provides unsound API access to a WebAssembly shared linear memory

Impact

Patches

Workarounds

1.8

1.8

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI